There’s a new variant of the HawkEye keylogging malware making the rounds, featuring expanded info-stealing capabilities. Its operators are looking to capture the zeitgeist around the novel coronavirus. It’s being distributed using spam that purports to be an “alert” from the Director-General of the World Health Organization (WHO).
The email campaign kicked off Thursday and has rolled out in multiple waves, according to IBM X-Force researchers. In a posting on Friday, researchers at the firm said that the mails claim to be directly from WHO’s Dr. Tedros Adhanom Ghebreyesus, giving an update on COVID-19 infections and drug advice. The mails are personalized in the salutations in the message body, which contain a username stripped out of the email address.
While the HawkEye keylogger has been in continuous development since 2013, it did see an ownership change in December 2018 and has been particularly resurgent since then. “HawkEye Reborn v9” was seen throughout 2019, sporting updated anti-detection features and a new licensing model – i.e., purchasers gain access to the software and future updates based on a varying tiered pricing model.
“The current developer of the HawkEye Reborn keylogger/stealer is continuously adding support for different applications and software platforms to facilitate the theft of sensitive information and account credentials,” researchers told Threatpost last year. “The malware has recently undergone changes to the way in which it is obfuscated and additional anti-analysis techniques have been implemented as well.”
The variant spotted this week is called “CURE.exe” by X-Force. Beyond keylogging, the new sample is capable of stealing credentials from browsers and email clients, including: Mozilla; Postbox; Thunderbird; SeaMonkey; Flock; BlackHawk; CyberFox; KMeleon; IceCat; PaleMoon; IceDragon; and WaterFox. It also can capture screenshots.
Once the credentials and other data are captured, they’re encrypted and sent by the SMPT protocol (email) to the operators. They have coded the email address and password within the malware to automate the delivery of the stolen information.
Under the Hood
HawkEye infections start with a loader, which is a .NET executable file that is obfuscated by the combination of ConfuserEx and Cassandra protector. From there, multiple other layers are used to further avoid analysis and detection.
“Once executed, it will search and execute another .NET executable file network Interfaces2.dll and load a bitmap image rgXREoRSAprmgvAqTsKhilTYhemNa.png in its resource section,” researchers explained.
This second executable is tasked with reading the bitmap image in order to extract an encoded assembly code from it.
“The image is parsed by columns from top to bottom, starting from the leftmost column to go to the right,” according to the analysis. “For each pixel thus encountered, if the color of these (including the alpha channel) is different from the color of the pixel, a (0, 0), or in the upper left corner, adds three bytes to the payload array. The three bytes are, in order: the red, green, and blue channel of the pixel.”
Once the code is extracted, the executable uses the first 16 bytes of the bitmap image as an XOR key to decode the rest of the image.
The decoded payload is yet another .NET executable file, called “ReZer0V2.exe.” This sets about turning off Windows Defender by changing various registry items; and, it runs a PowerShell command to uncover the infected machine’s preferences for Windows Defender scans and updates, and then turns them off.
After checking for VMs and sandboxes, the sample uses process hollowing to inject its payload into files the .NET framework directory, researchers explained. This final payload is the actual HawkEye keylogger.
Interestingly, this latest variant can also download other malware from a hardcoded URL (ypsmKO[dot]com).
“Victims, once infected with the keylogger, will face the loss of critical personal information,” according to the analysis. “This can have even more damaging consequences once their financial information is stolen and exposed.”
As for capitalizing on coronavirus fears to lure victims in, the tactic is a snowballing social-engineering tactic that researchers are seeing more and more as the pandemic continues to spread. Attackers continue to leverage coronavirus-themed cyberattacks – including malware attacks, booby-trapped URLs, credential-stuffing scams and even APT activity.
In a recent Threatpost poll, a full 40 percent of those companies reported seeing increased cyberattacks as they enable remote working, with the majority of attacks centering on disease-themed phishing and spam emails.
“Unfortunately with the pandemic of the coronavirus happening, it only entices the criminals to increase their social engineering and phishing email scams and target people’s fear with false information,” said James McQuiggan, security awareness advocate at KnowBe4. “The criminals rely on people’s fears for information and lure them to open attachments or click the links to load malware onto their systems to have their systems compromised.”
He added, “It is recommended that people be alert to these types of scams and ignore emails relating to this kind of information and instead, rely on trusted sources and organizations that are providing accurate information relating to this pandemic.”